RSA SecurID Ready Implementation Guide  
Last Modified November 29, 2001  
1. Partner Information  
Partner Name: Stonesoft Corp.  
Web Site:  
Product Name: StoneGate Firewall  
Version & Platform: Version 1.6.3  
Product Description: StoneGate is the first firewall and VPN solution offering high security, high performance and availability. It features:  
An embedded OS for increased security.  
Multiple ISP and VPN load balancing to ensure continuous network connectivity.  
Advanced centralized administration tools for enterprise-wide management of the firewall infrastructure.  
Product Category: Firewall  
2. Contact Information  
Sales Contact  
Support Contact  
+358 9 4767 11  
E-mail  
Phone  
Web  
+358 9 4767 11  
4. Product Requirements  
Hardware requirements  

Component Name: StoneGate Management system  
CPU make/speed required: Pentium processor, suggested minimum processor speed 500 MHz  
Memory: 128 MB minimum, 256 MB or more recommended  
HD space: 4 GB for evaluation (20 GB or more for production use).  

Component Name: StoneGate Firewall Engine  
CPU make/speed required: Pentium processor, suggested minimum processor speed 300 MHz  
Memory: 128 MB  
HD space: 1 GB  

Software requirements  

Component Name: StoneGate Management System  
Operating System: Version (Patch-level)  
Windows NT 4.0: Service Pack 6a, English language version  
Windows 2000: Service Pack 2, English language version  
Sun Solaris: 2.6 & 2.7  
RedHat Linux: 7.0 and 7.1, English language version  

Component Name: StoneGate Firewall engine  
Operating System: Version (Patch-level)  
Linux-based, provided with product: 1.6.3  
5. Partner ACE/Agent configuration  
Supported authentication types with RSA SecurID product  

Client-initiated authentication  

Client-initiated authentication means that the user starts the authentication process. It can be done with two tools: the Authentication Client software (part of the StoneGate VPN Client software) or Telnet, connecting to the firewall cluster on port 2543.  

With client-initiated authentication it is possible to authorize the client's IP address for a period of time. It is also possible to authorize the next connection the client opens. The authorization part is specified in the access rule base.  

Firewall-initiated authentication  

Firewall-initiated authentication means that the firewall cluster starts the authentication process. It can be used only with the Authentication Client software, which is part of the StoneGate VPN Client software.  

In firewall-initiated authentication the firewall makes the connection to the client. This requires that the client is reachable; for example, there can't be NAT between the firewall engine and the client.  

With firewall-initiated authentication it is also possible to authorize either the client's IP address or the current connection.  

No software other than the StoneGate Management system and the StoneGate firewall engine is required to support client-initiated authentication, though the Authentication Client software included in the StoneGate VPN Client can be used.  

For firewall-initiated authentication support, the StoneGate Authentication Client software MUST be used.  
StoneGate Firewall / RSA SecurID Configuration – User Authentication  
The following steps can be carried out using the StoneGate User Manager GUI:  
Create an Authentication Service (type can be RADIUS or TACACS+).  
Create the Authentication Server or Servers with the correct type.  
All created Authentication Servers must be bound to the Authentication Service.  

Having created your Service(s) and Server(s), you must now create users within the StoneGate user database.  

If you want to use ACE/Server authentication as your default Authentication Service for all users, create a special user with the user name *external* within the StoneGate user database and bind it to the previously created Authentication Service.  
Using this generic method of authentication, *external* is the only user you will be required to create within the StoneGate user database.  

If there is a need to configure Authentication Services on a per-user basis, it can be done by creating individual user records within the StoneGate user database and binding them to the appropriate Authentication Service.  

Using the Security Policy Manager, associate the appropriate access rules with the users or user group being authenticated by the RSA ACE/Server.  

More detailed information on using StoneGate Firewall user access and authentication rules can be found in the StoneGate Firewall Administrator’s Guide. See Chapter 10: Defining users and user authentication.  
Example SecurID enabled login sequences  
Firewall initiated authentication with ACE/Server user account set to New PIN-mode.  
6. Certification Checklist  
Date Tested: November 22, 2001  
Product: Tested Version  
ACE/Server: 5.0.1  
ACE/Agent: N/A  
StoneGate firewall & VPN Client: 1.6.3  
Test  
ACE  
N/A  
RADIUS  
1st time auth. (node secret creation)  
N/A  
New PIN mode:  
System-generated  
Non-PINPAD token  
PINPAD token  
N/A  
N/A  
P
P
User-defined (4-8 alphanumeric)  
Non-PINPAD token  
Password  
N/A  
N/A  
P
P
User-defined (5-7 numeric)  
Non-PINPAD token  
PINPAD token  
SoftID token  
Deny 4 digit PIN  
Deny Alphanumeric  
User-selectable  
N/A  
N/A  
N/A  
N/A  
N/A  
P
P
P
P
P
Non-PINPAD token  
PINPAD token  
N/A  
N/A  
P
P
PASSCODE  
16 Digit PASSCODE  
4 Digit Password  
Next Tokencode mode  
Non-PINPAD token  
PINPAD token  
N/A  
N/A  
P
P
N/A  
N/A  
P
P
N/A  
N/A  
N/A  
P
N/A  
P
Replica Servers  
User Lock Test (ACE Lock Function)  
No ACE/Server  
7. Known Issues  
If a clustered StoneGate firewall solution is used with RSA SecurID, an Agent Host entry must be defined within the ACE/Server database for each firewall cluster member.  

The firewall cluster members share the configured authentication service/server information. As a result, when configuring Agent Hosts in the ACE/Server database, the same Shared Secret value must be used for each cluster member.  
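
Why a mismatched secret on one cluster member breaks authentication from that member only, shown for the RADIUS service type with the User-Password hiding defined in RFC 2865. This is an added example, not part of the original guide or of any Stonesoft or RSA code; the IP addresses, secrets and passcode are constructed, and `SERVER_CLIENTS` is a hypothetical stand-in for the server's per-client secret table.

```python
import hashlib
import os

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(passcode: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: hide User-Password with the shared secret."""
    if not 1 <= len(passcode) <= 128 or len(authenticator) != 16:
        raise ValueError("bad passcode or authenticator length")
    padded = passcode + b"\x00" * (-len(passcode) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block  # next block is keyed by the previous ciphertext block
    return out

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding with the secret stored for that client."""
    if len(hidden) == 0 or len(hidden) % 16 or len(authenticator) != 16:
        raise ValueError("bad attribute length")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

# Constructed sample data: the cluster shares one secret, the server keeps
# one entry per cluster member (hypothetical addresses and values).
CLUSTER_SECRET = b"constructed-cluster-secret"
SERVER_CLIENTS = {
    "192.0.2.11": b"constructed-cluster-secret",  # member 1: matches
    "192.0.2.12": b"different-secret",            # member 2: misconfigured
}

def node_can_authenticate(node_ip: str, passcode: bytes) -> bool:
    """True if the server recovers the passcode this member submitted."""
    authenticator = os.urandom(16)
    hidden = hide_password(passcode, CLUSTER_SECRET, authenticator)
    server_secret = SERVER_CLIENTS.get(node_ip)
    if server_secret is None:  # no entry defined for this cluster member
        return False
    return recover_password(hidden, server_secret, authenticator) == passcode

if __name__ == "__main__":
    for ip in ("192.0.2.11", "192.0.2.12", "192.0.2.13"):
        print(ip, node_can_authenticate(ip, b"1234567890"))
```

The failure is intermittent from the user's point of view, because it depends on which cluster member forwards the request; checking every member's entry is the quickest way to rule it out.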